Salesforce issues new security alert tied to third customer attack spree in six months

Salesforce issues new security alert tied to third customer attack spree in six months

https://cyberscoop.com/salesforce-experience-cloud-customers-attacks/

Publish Date: 2026-03-11 11:01:00

Source Domain: cyberscoop.com

Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a security advisory Saturday. 

“Salesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,” the company said in the alert.

The campaign marks the third widespread attack spree targeting Salesforce customers in about six months. 

The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted. 

Researchers told CyberScoop they are confident the threat group behind the campaign is associated with ShinyHunters, an outfit that’s previously stolen data from Salesforce instances for extortion attempts.

Salesforce did not attribute the attacks, but pinned blame on a “known threat actor group,” adding that the issue is not due to a vulnerability in the company’s platform.

The company said the threat activity reflects a broader trend of identity-based targeting, in this case customer-configured guest user settings that expose publicly accessible Experience Cloud sites to potential attacks.

“We are aware of a threat actor attempting to identify misconfigurations within Salesforce Experience Cloud instances,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in a statement. “We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk.”

Salesforce said the threat actor is using a modified version of the Mandiant-developed open-source tool AuraInspector to scan for public-facing Experience Cloud sites and steal data from instances with a guest user profile. 

This setting is designed to provide unauthenticated…

Source